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Abstract 


We study two functionals of a random matrix A with independent elements 
uniformly distributed over the cyclic group of integers {0,1 ,,M — 1} modulo 
M. One of them, Vo (A) with mean y, gives the total number of solutions for a 
generalised birthday problem, and the other, W{A) with mean A, gives the number 
of solutions detected by Wagner’s tree based algorithm. 

We establish two limit theorems. Theorem |2.1| describes an asymptotical be¬ 
haviour of the ratio A/g as M-> oo. Theorem 2.2 suggests Chen-Stein bounds for 


the total variation distance between Poisson distribution and distributions of Vo 
and W. 
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1 Introduction 

Let (N, M, L) be three natural numbers larger than or equal to 2. Assume that we have 
a random matrix 

A = (dij), 1 < i < L, 1 < j < N (1) 

with independent elements which are uniformly distributed on {0,1,..., M — 1}. 

Let J = {1,..., L} n be the set of matrix positions, so that \J\ = L N . For each b e 

{0,1,..., M — 1}, define Vj, = H(A) as the number of vectors i = (A, • • •, A) G J with 

Oji,l + • • • + CLi N ,N ~ b, 

where the sign = means equality modulo M. Clearly, ' H = L N , so that by the 

assumption of uniform distribution, 

y := E(Vb) = L n M-\ 

The problem of finding all Vq zero-sum vectors 

— (0*1,1) ■ ■ •) Oijv.Af)) i (fii ■ ■ ■ i In') € J (2) 
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for a given matrix A, can be viewed as a generalised birthday problem. It arises naturally 
in a variety of situations including cryptography, see [Tj and reference therein; ring linear 
codes [3j; abstract algebra, where in the theory of modules it is related to the notion of 
annihilator, see e.g. [3]. This problem can be solved only by exhaustive search and is 
TVP-hard [6j. Wagner |7J proposed a subexponential algorithm giving hope to quickly 
detect at least some of the solutions to this kind of problems. 

Assume that N = 2 n , n > 1 and M = 2 m + 1, m > n. It will be convenient to use 
the symmetric form 

D m :={~ 2 m -\...,-l,0,l,...,2 m - 1 } 

of {0,1,..., M — 1} as the set of possible values for a VJ . Wagner’s algorithm has a binary 
tree structure, see Figure [lj starting from N leaves at level n and moving toward the top 
of the tree at level 0. For a given a vector x = (aq,... ,X 2 n) with Xj G D m the algorithm 
searches for the value 

H n {x) := x\ n) G D m _ n U {A}, (3) 

obtained recursively in a way explained next (the special state A indicates that the 
algorithm is terminated and a solution is not found). Put Xj = x r For h = 1,... ,n 



Figure 1: Wagner’s algorithm 
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and put x ( j l> = A otherwise. In particular, if 'x'l' = A for at least one of the two indices 

k G {2 j — 1, 2 j}, then x^ = A. 

A vector x will be called a Wagner’s solution to the generalised birthday problem, if 
H n (x ) = 0. The total number W = W(A) of Wagner’s solutions among the vectors (j2| 
has mean 

A := E(W) = fV, 

where 

Pn,m ■ P(T/n(®i) 0); f G J. 

The proportion of Wagner’s solutions can be characterised by the ratio of the means 


Rn,m ■— X/p — (2 ? " + 1 )Pn,m 


( 4 ) 
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Clearly, R n ^ m is the conditional probability of a given zero-sum random vector to be 
Wagner’s solution. 

There is a growing number of papers studying the properties of various tree based 
algorithms with some of them, in particular [5], suggesting further developments of Wag¬ 
ner’s approach. The main results of this paper are stated in the next section. Theorem 
2.1 gives an integral recursion for calculating the limit for the key ratio Q. Theorem 2.2 
suggests Chen-Stein bounds for the total variation distance between Poisson distribution 
and distributions of Vo and W. (Among related results concerning speed of convergence 
for functional of random matrices over finite algebraical structures we can only name a 
recent paper (2j.) 


2 Main results 

Define a sequence of polynomials {0 n (x)}„>i by 


4> n (x) : = / (j) n -i(u)(p n -i(x - u)du + 2 


0n— 1 ( ^)0ri— 1 (u x)du, 


(5) 


with 0i (x) = 1. 

Theorem 2.1. For any fixed natural number n, 

Rn,m ^ 0n(O), TTl ^ OO, 

where the limit is obtained from the integral recursion (J5]). 


To illustrate Theorem 2d, take N = 16, L = 1000, and M = 10 45 . Then the expected 
number of zero-sum vectors is /i = 1000. In practice, finding all zero-sum vectors out 
of L N = 10 48 candidates is a time consuming task. In this example we have n = 4 
and m is approximately 150. Judging from Figure [2] illustrating the typical values for 
the proportion factor R n . m using numerical computations based on the recursions for (J7]) 
presented in the next section, out of a thousand solutions the Wagner algorithm will 
catch no more than one. 

Theorem 2.2. For a random matrix ([l]) consider the number Vo of vectors ([2]) such that 
Oji,i + • • • + a,i N n — 0. Then 


Y,f( v « = k: > 




k =0 


k\ 


< 4(1 — e -/i )M , 


where /a = L N M 1 . Furthermore, if N = 2 n and M = 2 m + 1, m > n, then with 

^ T Pn,m 

X k e~ x 


Y,\m' = k) 


k =0 


k\ 


< 8(1 -e~ x )ixNL-\ 


According to Theorem T2, Poisson approximation for Vo works well when L N M. 
For W , a sufficient condition for the Chen-Stein bound to be small is NL n ~ 1 M. 
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Figure 2: The ratio of the means Q for n = 2,3,4 are plotted as functions of m. The 
limits predicted by Theorem 12.11 are indicated by horizontal dotted lines. 


3 Key recursion 

Consider a backward recursion 

i 


v i(j) = ^2v i+ i(k)v i+1 (j -k) + 2 ^2 v i+1 (k)v i+1 (k - j ) 

k=j +1 


( 6 ) 


k =0 


involving a system of vectors (u«(0),... , Uj(2* x )) for i > 1. In particular, we have 


Ui(0) = v 2 +1 (0) + 2 ^2 y2 i+1 {k). 


k= 1 


For 1 < i < m — 1, denote by v\ rr ^ (j ) the unique solution of ([6]) determined by the 
following frontier condition 

Um-l(O) = • • • = ^n-l(2 m - 2 ) = (1 + 2 m ) _1 . 


By the forthcoming Corollary 3.2, we can write p n ^ m = v^2 n (0) so that 

Rn,m = (1 + 2 m )ujSn(0), n = 1, . . . , 771 - 1. 


(7) 


Lemma 3.1. Let 1 < n < m — 1 and H n (x) be defined by (|3|. Assuming that x is a 
random vector with independent component uniformly distributed over D m , put 


Then 


Pi,m(j) ■= P (Hi(x) = j). 


Pl,m(—2 m ) = ■= Pl,m(2 ) = ( 2” 1 + 1 ), 


4 











we have p i>m (-j) = Pi,m(j) with p itm (j) 


and for 2 < i < m — 1 and 0 < j < 2 m 1 1 , 
satisfying the recursion 

j 

Pi,m(j) = ^2Pi-l,m(k)Pi-l,m(j ~ k) + 2 ^ Pi-1,m(k)Pi-l,m (k - j ) • 

/c=0 fe=j+l 

Proof. There are exactly M = 2 m + 1 different ordered pairs of numbers from the set D m 
that add modulo M up to a given j e D m _ i. These pairs have the form: for j = 0, 

(—2 m_1 + jfe, 2™- 1 - fc), fc = 0,..., 2 m , 

for j = 1,..., 2 m " 2 , 

(—2 m_1 + k, —2 m ~ 1 + j - k - 1), k = 0,..., j — 1, 

^2 m - 1 + k,2 m - 1 +j-k), k = j,...,2 m , 
and for j = — 2 m_2 ,..., —1, 

(2 m_1 — k, 2 m ~ 1 + j + k + 1), k = 0, - 1, 

(2 m - x - k, —2 m ~ 1 +j + k), k = |j|,... ,2 m . 

Since these pairs appear with equal probability M~ 2 , the first claim follows. 

On the other hand, for a given j € with ?' > 2, there are only M — \j\ different 

ordered pairs of numbers from the set D m _ i+ \ that add modulo M up to j. These pairs 
have the form: 


(—2 m ~* + k, 2 m ~ i + j-k), k — j,, 2 m ~ i+1 , j = 0,..., 

(2 m " i - k,-2 m ~ i +j + k), k = \j \,..., 2 m-i+1 , j = -2 m ~ i ~\...,-l. 

This yields for j = 1,..., 

2 rn ~ i+1 

= V Pi-1,m(-2 m-t + A:)pi_i im (2 m- * - A: + j), 

k=j 
2 rn ~ i+l 

Pi,m(-j ) = X] Pi-1,- A:)pi_i, m (-2 m- * + k - j). 

k=j 

The stated symmetry property Pi, m (~j) — Pi,m(j) now follows recursively from the as¬ 
sumption of uniform distribution. To finish the proof of the lemma, it remains to observe 
that after replacing k — 2 m ~ l by / in the last relation for Pi, m (j) we get 


Pi,m(j) 


which in turn equals to 


V Pi-1,m(l)Pi-l,m(j - l), 
l=j-2 rn ~ i 


j 2 m-i -1 

V Pi-1,m(l)Pi-l,m(j ^1) + V Pi-1,m(l)Pi-l,m(l ~ j) + V “ 0 

/=0 l=j +1 l=j-2 rn ~ i 


j 2 rn ~ i 

= VPi-l,m(fe)Pi-l,mC7 + 2 V Pi-l,m(fc)Pi-l,m(fc-.7)- 

fc=0 fe=j+l 


□ 
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Corollary 3.2. Comparison of the key recursion in Lemma 3.1 with the recursion (§ 
yields 

Pm—i,m (j ) = V^ m) (j). 


4 Proof of Theorem 12.1 


Recall ([7]) and put 


Rn,m(j) = 2 m V { ™2 n (j), Km(x) := 2~ m ). 


We prove Theorem 2.1 by verifying a more general convergence result 


«n,m := max \R n ,m(j) - <f>n,m(j)\ 0, myoo. (8) 

0<j<2 m - n ~ 1 

To this end we use induction over n. The base case n — 1 is trivial. To prove the inductive 
step observe first that by ([6]) 

j 2 m-n 

Rn,m(j) = 2 _m ^ Rn-l,m(k)Rn-l,m(j ~ k) + 2 1 ~ m ^ Rn-l,m{k) R n -l, m {k - j). (9) 

k=0 k=j +1 

It is easy to see recursively that the constant 

C n := sup max R n ,m(j) 

m>n 0<j<2 m ~ n ~ 1 


is hnite. 

On the other hand, by (J5]) , 


)—m I ± /.,\i / • .A j.. i ol —m I 


4>n,m(j) 2 / fn— l,m(^)0n—l,m(j u)du T 2 / 0n— l,m{jk)4*n—l,m(p j)du, 

JO Jj 

so that 


j 

0n,m(j) 2 ^ ^ l,m(^)0n—l,m(j ^) 

k=0 

2m — n 

_|_ 2 1 m <f>n-l,m{k)<f> n -l,m{k — j) + e njTn (j), ( 10 ) 

fe=j+l 

with accordingly defined remainder term e nm (j). Uniform continuity of <f n (x ) yields 
uniform convergence e n ,m (j ) — >■ 0 as m — » oo, and ([8]) follows from ([9]) and ( floj) , since 

a«,m < 2 [C n _i + max 0 n (x)l + max |e n ,m(j)l- 

0<x<2~ n 0<j<2 m ~ n 
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5 Proof of Theorem 12.2 


The following result is a straightforward corollary of Theorem 1 from pj and is a key tool 
for our proof here. 

Lemma 5.1. Let Z = J2 ieJ Xi be a sum of possibly dependent indicator random variables 
with E (Z) = (. Suppose there is a family of subsets J* C J such that for any i e J and 
k ^ J i, indicators Xi an d Xk are independent. Then 


c 

4(1-e-C) 


E p (Z = k) 

k =0 


C fc e c 

k\ 


< E (Xi)E(y fc ) + ^ E {XiXk). 

i£j k£Ji i£j k£Ji\{i} 


We start the proof of Theorem |2.2| by observing that V 0 = Yliej Xi-> where the indicator 
random variables 


Xi = 1 


{ a il + 


,N b)} 


i — (i\,, ijy ) 


are identically distributed with E(xi ) = and mutually independent. Independence 
is due to the defining property of the matrix A. Indeed, if k ^ i and (without loss of 
generality) 1 ,... ,j are the coordinates where these two vectors differ, then 


P(Ofci,l + • ■ • + = a ii,l + • ■ • + ai N} N — 0) 

= P(flfci,i + • • • + a kj j = a iu i + ... + a^j = —cii j+lt j+i — ... — ch n ,n) 

= P(ofci,i + ... + a kj j = b ; + ... + = 6; ai j+1 j + ± + ... + = ~b) 

beDm 

= M 1 P(aj li i + ... + a^j = b ; + ... + ai Nj N = —b ) = M 2 . 

b£Dm 


Therefore, we can apply Lemma 5.1 with J* 
follows from E(Vq) = // and 


{-£}, and the Chen-Stein bound for V 0 


V V E(xi)E(x&) = L n M - 2 = 

ieJ keBi 

To obtain the Chen-Stein bound for W, we define Ji as the set of k 6 L such that 
vectors i and k share at least one component. Observe that 

\Ji\ — L N — (L — 1) N . 

By definition of W, 

W = Xil Xi = 1 ( kf n (a.;,)=0} ) 

ieJ 

so that E(xi) = p nt7n and therefore, 


E E E (») E (») = L n (L n - (L - 1 < NL-' A 2 . 

iGt/ k£ji 

Since a Wagner’s solution is necessarily is a zero-sum vector, we have for i ^ k, 

E (xiXk) = P {H n (cn) = 0; H n (a k ) = 0) < P(a fcl ,i + • • • + a kN:N = 0; H n (ai ) = 0). 
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Let ... ,lj are the coordinates where the vectors i, k differ. Then it follows that 
E (xiXk) < P ( a h 1 ,h + • • • + = 6; + • • • + = b; H n (ai) = 0) 

b(zDm 

= M~ l ^2 p («ii 1 ,li + • • • + ^.,/j = 6; ^n(Oi) = 0) = 
beDm 

and we get 


^ ^ E (xiXk) < L n (L n - (L - 1 ) N ) Pn , m M~ l < NL 


The proof is finished by applying once again Lemma 5.1 
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